| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.247036337.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://en.w |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.246382239.000000000603B000.00000004.00000001.sdmp, TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.246270583.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.comj |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.253864499.0000000006043000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlh |
| Source: explorer.exe, 00000008.00000000.308790689.0000000006870000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252524764.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252313565.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com) |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252658676.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com-se |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252524764.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com0 |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252560675.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com? |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252833728.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comMic |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252658676.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTCd |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252524764.000000000603B000.00000004.00000001.sdmp, TPJX2QwEdXs5sTV.exe, 00000001.00000003.252658676.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coma |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252394694.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comak |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252349501.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comd |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252876215.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comexc |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp, TPJX2QwEdXs5sTV.exe, 00000001.00000003.252434713.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252524764.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml-g |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252560675.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml-se |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252524764.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.como._ |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252225171.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comof |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252225171.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comona |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252524764.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comue |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252876215.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comypoC |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp, TPJX2QwEdXs5sTV.exe, 00000001.00000003.257664415.0000000006041000.00000004.00000001.sdmp, TPJX2QwEdXs5sTV.exe, 00000001.00000003.257568508.0000000006041000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.256412762.0000000006041000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/ |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.256690000.0000000006041000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/0 |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/? |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.258643842.000000000605E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.258643842.000000000605E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlo |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.258314127.000000000605E000.00000004.00000001.sdmp, TPJX2QwEdXs5sTV.exe, 00000001.00000003.258167734.0000000006041000.00000004.00000001.sdmp, TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.258749887.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers0. |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.258749887.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers3 |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8 |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers? |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.259100620.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersD |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.256499107.0000000006041000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersH |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.251577185.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.251297242.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn( |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.251510361.0000000006040000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/ |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.251577185.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn0 |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.251577185.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cncom |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.251577185.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnicr |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.262778713.000000000603B000.00000004.00000001.sdmp, TPJX2QwEdXs5sTV.exe, 00000001.00000003.260576945.000000000603B000.00000004.00000001.sdmp, TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.250819017.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kX |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.250685229.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr-cY |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.250819017.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.krV |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.260424917.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype. |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.245363117.0000000006022000.00000004.00000001.sdmp, TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.245363117.0000000006022000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comt |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.253704425.0000000006043000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com3 |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.253864499.0000000006043000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com9 |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.250514753.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kra-e# |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp, TPJX2QwEdXs5sTV.exe, 00000001.00000003.252797134.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252833728.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comw |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.259240750.0000000006047000.00000004.00000001.sdmp, TPJX2QwEdXs5sTV.exe, 00000001.00000003.256166829.0000000006041000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.256226500.0000000006041000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deA |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252145677.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn0 |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252145677.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cncom |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252524764.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnk |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252145677.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cno.E |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252524764.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cno.U |
| Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252145677.000000000603B000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnue |
| Source: cmd.exe, 00000017.00000002.521651760.0000000003C32000.00000004.00020000.sdmp | String found in binary or memory: https://www.438451.com/t75f/?IL3h=1BeMm2dWByn9xv9J99R2XzKkk0MJMO8GKUMNYM3ZZNvYMz7ACarE0KIXHaUrAW4HLV |
| Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 1.2.TPJX2QwEdXs5sTV.exe.4175e30.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 1.2.TPJX2QwEdXs5sTV.exe.4175e30.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000008.00000000.342627286.000000000E077000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000008.00000000.342627286.000000000E077000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000017.00000002.514970004.0000000002D90000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000017.00000002.514970004.0000000002D90000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000006.00000002.390262569.00000000009D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000006.00000002.390262569.00000000009D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000017.00000002.512368731.0000000000940000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000017.00000002.512368731.0000000000940000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000008.00000000.321761934.000000000E077000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000008.00000000.321761934.000000000E077000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000006.00000002.389976608.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000006.00000002.389976608.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000017.00000002.513972990.00000000029D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000017.00000002.513972990.00000000029D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000001.00000002.282361714.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000001.00000002.282361714.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000006.00000002.390330954.0000000000A20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000006.00000002.390330954.0000000000A20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000001.00000002.282500066.000000000409E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000001.00000002.282500066.000000000409E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_004185C0 NtCreateFile, | 6_2_004185C0 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00418670 NtReadFile, | 6_2_00418670 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_004186F0 NtClose, | 6_2_004186F0 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_004187A0 NtAllocateVirtualMemory, | 6_2_004187A0 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041866C NtReadFile, | 6_2_0041866C |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_004186EA NtClose, | 6_2_004186EA |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA98F0 NtReadVirtualMemory,LdrInitializeThunk, | 6_2_00FA98F0 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9860 NtQuerySystemInformation,LdrInitializeThunk, | 6_2_00FA9860 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9840 NtDelayExecution,LdrInitializeThunk, | 6_2_00FA9840 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA99A0 NtCreateSection,LdrInitializeThunk, | 6_2_00FA99A0 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9910 NtAdjustPrivilegesToken,LdrInitializeThunk, | 6_2_00FA9910 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9A50 NtCreateFile,LdrInitializeThunk, | 6_2_00FA9A50 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9A20 NtResumeThread,LdrInitializeThunk, | 6_2_00FA9A20 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9A00 NtProtectVirtualMemory,LdrInitializeThunk, | 6_2_00FA9A00 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA95D0 NtClose,LdrInitializeThunk, | 6_2_00FA95D0 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9540 NtReadFile,LdrInitializeThunk, | 6_2_00FA9540 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA96E0 NtFreeVirtualMemory,LdrInitializeThunk, | 6_2_00FA96E0 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9660 NtAllocateVirtualMemory,LdrInitializeThunk, | 6_2_00FA9660 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9FE0 NtCreateMutant,LdrInitializeThunk, | 6_2_00FA9FE0 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA97A0 NtUnmapViewOfSection,LdrInitializeThunk, | 6_2_00FA97A0 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9780 NtMapViewOfSection,LdrInitializeThunk, | 6_2_00FA9780 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9710 NtQueryInformationToken,LdrInitializeThunk, | 6_2_00FA9710 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA98A0 NtWriteVirtualMemory, | 6_2_00FA98A0 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FAB040 NtSuspendThread, | 6_2_00FAB040 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9820 NtEnumerateKey, | 6_2_00FA9820 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA99D0 NtCreateProcessEx, | 6_2_00FA99D0 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9950 NtQueueApcThread, | 6_2_00FA9950 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9A80 NtOpenDirectoryObject, | 6_2_00FA9A80 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9A10 NtQuerySection, | 6_2_00FA9A10 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FAA3B0 NtGetContextThread, | 6_2_00FAA3B0 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9B00 NtSetValueKey, | 6_2_00FA9B00 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA95F0 NtQueryInformationFile, | 6_2_00FA95F0 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9560 NtWriteFile, | 6_2_00FA9560 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FAAD30 NtSetContextThread, | 6_2_00FAAD30 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9520 NtWaitForSingleObject, | 6_2_00FA9520 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA96D0 NtCreateKey, | 6_2_00FA96D0 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9670 NtQueryInformationProcess, | 6_2_00FA9670 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9650 NtQueryValueKey, | 6_2_00FA9650 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9610 NtEnumerateValueKey, | 6_2_00FA9610 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9770 NtSetInformationFile, | 6_2_00FA9770 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FAA770 NtOpenThread, | 6_2_00FAA770 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9760 NtOpenProcess, | 6_2_00FA9760 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA9730 NtQueryVirtualMemory, | 6_2_00FA9730 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FAA710 NtOpenProcessToken, | 6_2_00FAA710 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_008758A4 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp, | 23_2_008758A4 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_008784BE NtQueryVolumeInformationFile,GetFileInformationByHandleEx, | 23_2_008784BE |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0087B4C0 NtQueryInformationToken, | 23_2_0087B4C0 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0087B4F8 NtQueryInformationToken,NtQueryInformationToken, | 23_2_0087B4F8 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0087B42E NtOpenThreadToken,NtOpenProcessToken,NtClose, | 23_2_0087B42E |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_00896D90 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, | 23_2_00896D90 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0089B5E0 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, | 23_2_0089B5E0 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_00899AB4 NtSetInformationFile, | 23_2_00899AB4 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_008783F2 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError, | 23_2_008783F2 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9710 NtQueryInformationToken,LdrInitializeThunk, | 23_2_035E9710 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9FE0 NtCreateMutant,LdrInitializeThunk, | 23_2_035E9FE0 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9780 NtMapViewOfSection,LdrInitializeThunk, | 23_2_035E9780 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9A50 NtCreateFile,LdrInitializeThunk, | 23_2_035E9A50 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E96D0 NtCreateKey,LdrInitializeThunk, | 23_2_035E96D0 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E96E0 NtFreeVirtualMemory,LdrInitializeThunk, | 23_2_035E96E0 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9540 NtReadFile,LdrInitializeThunk, | 23_2_035E9540 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9910 NtAdjustPrivilegesToken,LdrInitializeThunk, | 23_2_035E9910 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E95D0 NtClose,LdrInitializeThunk, | 23_2_035E95D0 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E99A0 NtCreateSection,LdrInitializeThunk, | 23_2_035E99A0 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9840 NtDelayExecution,LdrInitializeThunk, | 23_2_035E9840 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9860 NtQuerySystemInformation,LdrInitializeThunk, | 23_2_035E9860 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9770 NtSetInformationFile, | 23_2_035E9770 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035EA770 NtOpenThread, | 23_2_035EA770 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9760 NtOpenProcess, | 23_2_035E9760 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035EA710 NtOpenProcessToken, | 23_2_035EA710 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9B00 NtSetValueKey, | 23_2_035E9B00 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9730 NtQueryVirtualMemory, | 23_2_035E9730 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035EA3B0 NtGetContextThread, | 23_2_035EA3B0 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E97A0 NtUnmapViewOfSection, | 23_2_035E97A0 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9650 NtQueryValueKey, | 23_2_035E9650 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9670 NtQueryInformationProcess, | 23_2_035E9670 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9660 NtAllocateVirtualMemory, | 23_2_035E9660 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9610 NtEnumerateValueKey, | 23_2_035E9610 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9A10 NtQuerySection, | 23_2_035E9A10 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9A00 NtProtectVirtualMemory, | 23_2_035E9A00 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9A20 NtResumeThread, | 23_2_035E9A20 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9A80 NtOpenDirectoryObject, | 23_2_035E9A80 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9950 NtQueueApcThread, | 23_2_035E9950 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9560 NtWriteFile, | 23_2_035E9560 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035EAD30 NtSetContextThread, | 23_2_035EAD30 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9520 NtWaitForSingleObject, | 23_2_035E9520 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E99D0 NtCreateProcessEx, | 23_2_035E99D0 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E95F0 NtQueryInformationFile, | 23_2_035E95F0 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035EB040 NtSuspendThread, | 23_2_035EB040 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E9820 NtEnumerateKey, | 23_2_035E9820 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E98F0 NtReadVirtualMemory, | 23_2_035E98F0 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E98A0 NtWriteVirtualMemory, | 23_2_035E98A0 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FFB8D0 mov eax, dword ptr fs:[00000030h] | 6_2_00FFB8D0 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FFB8D0 mov ecx, dword ptr fs:[00000030h] | 6_2_00FFB8D0 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FFB8D0 mov eax, dword ptr fs:[00000030h] | 6_2_00FFB8D0 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FFB8D0 mov eax, dword ptr fs:[00000030h] | 6_2_00FFB8D0 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FFB8D0 mov eax, dword ptr fs:[00000030h] | 6_2_00FFB8D0 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FFB8D0 mov eax, dword ptr fs:[00000030h] | 6_2_00FFB8D0 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F9F0BF mov ecx, dword ptr fs:[00000030h] | 6_2_00F9F0BF |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F9F0BF mov eax, dword ptr fs:[00000030h] | 6_2_00F9F0BF |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F9F0BF mov eax, dword ptr fs:[00000030h] | 6_2_00F9F0BF |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA90AF mov eax, dword ptr fs:[00000030h] | 6_2_00FA90AF |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F69080 mov eax, dword ptr fs:[00000030h] | 6_2_00F69080 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FE3884 mov eax, dword ptr fs:[00000030h] | 6_2_00FE3884 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FE3884 mov eax, dword ptr fs:[00000030h] | 6_2_00FE3884 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F80050 mov eax, dword ptr fs:[00000030h] | 6_2_00F80050 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F80050 mov eax, dword ptr fs:[00000030h] | 6_2_00F80050 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F7B02A mov eax, dword ptr fs:[00000030h] | 6_2_00F7B02A |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F7B02A mov eax, dword ptr fs:[00000030h] | 6_2_00F7B02A |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F7B02A mov eax, dword ptr fs:[00000030h] | 6_2_00F7B02A |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F7B02A mov eax, dword ptr fs:[00000030h] | 6_2_00F7B02A |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FE7016 mov eax, dword ptr fs:[00000030h] | 6_2_00FE7016 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FE7016 mov eax, dword ptr fs:[00000030h] | 6_2_00FE7016 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FE7016 mov eax, dword ptr fs:[00000030h] | 6_2_00FE7016 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01034015 mov eax, dword ptr fs:[00000030h] | 6_2_01034015 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01034015 mov eax, dword ptr fs:[00000030h] | 6_2_01034015 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F6B1E1 mov eax, dword ptr fs:[00000030h] | 6_2_00F6B1E1 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F6B1E1 mov eax, dword ptr fs:[00000030h] | 6_2_00F6B1E1 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F6B1E1 mov eax, dword ptr fs:[00000030h] | 6_2_00F6B1E1 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01022073 mov eax, dword ptr fs:[00000030h] | 6_2_01022073 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01031074 mov eax, dword ptr fs:[00000030h] | 6_2_01031074 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F8C182 mov eax, dword ptr fs:[00000030h] | 6_2_00F8C182 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F9A185 mov eax, dword ptr fs:[00000030h] | 6_2_00F9A185 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F6B171 mov eax, dword ptr fs:[00000030h] | 6_2_00F6B171 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F6B171 mov eax, dword ptr fs:[00000030h] | 6_2_00F6B171 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F8B944 mov eax, dword ptr fs:[00000030h] | 6_2_00F8B944 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F8B944 mov eax, dword ptr fs:[00000030h] | 6_2_00F8B944 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F9513A mov eax, dword ptr fs:[00000030h] | 6_2_00F9513A |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F9513A mov eax, dword ptr fs:[00000030h] | 6_2_00F9513A |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F84120 mov eax, dword ptr fs:[00000030h] | 6_2_00F84120 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F84120 mov eax, dword ptr fs:[00000030h] | 6_2_00F84120 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F84120 mov eax, dword ptr fs:[00000030h] | 6_2_00F84120 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F84120 mov eax, dword ptr fs:[00000030h] | 6_2_00F84120 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F84120 mov ecx, dword ptr fs:[00000030h] | 6_2_00F84120 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F69100 mov eax, dword ptr fs:[00000030h] | 6_2_00F69100 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F69100 mov eax, dword ptr fs:[00000030h] | 6_2_00F69100 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F69100 mov eax, dword ptr fs:[00000030h] | 6_2_00F69100 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0102131B mov eax, dword ptr fs:[00000030h] | 6_2_0102131B |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F9FAB0 mov eax, dword ptr fs:[00000030h] | 6_2_00F9FAB0 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F652A5 mov eax, dword ptr fs:[00000030h] | 6_2_00F652A5 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F652A5 mov eax, dword ptr fs:[00000030h] | 6_2_00F652A5 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F652A5 mov eax, dword ptr fs:[00000030h] | 6_2_00F652A5 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F652A5 mov eax, dword ptr fs:[00000030h] | 6_2_00F652A5 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F652A5 mov eax, dword ptr fs:[00000030h] | 6_2_00F652A5 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01038B58 mov eax, dword ptr fs:[00000030h] | 6_2_01038B58 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F9D294 mov eax, dword ptr fs:[00000030h] | 6_2_00F9D294 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F9D294 mov eax, dword ptr fs:[00000030h] | 6_2_00F9D294 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA927A mov eax, dword ptr fs:[00000030h] | 6_2_00FA927A |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0101D380 mov ecx, dword ptr fs:[00000030h] | 6_2_0101D380 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0102138A mov eax, dword ptr fs:[00000030h] | 6_2_0102138A |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01035BA5 mov eax, dword ptr fs:[00000030h] | 6_2_01035BA5 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F69240 mov eax, dword ptr fs:[00000030h] | 6_2_00F69240 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F69240 mov eax, dword ptr fs:[00000030h] | 6_2_00F69240 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F69240 mov eax, dword ptr fs:[00000030h] | 6_2_00F69240 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F69240 mov eax, dword ptr fs:[00000030h] | 6_2_00F69240 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0101B260 mov eax, dword ptr fs:[00000030h] | 6_2_0101B260 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0101B260 mov eax, dword ptr fs:[00000030h] | 6_2_0101B260 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01038A62 mov eax, dword ptr fs:[00000030h] | 6_2_01038A62 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F71B8F mov eax, dword ptr fs:[00000030h] | 6_2_00F71B8F |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F71B8F mov eax, dword ptr fs:[00000030h] | 6_2_00F71B8F |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F93B7A mov eax, dword ptr fs:[00000030h] | 6_2_00F93B7A |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F93B7A mov eax, dword ptr fs:[00000030h] | 6_2_00F93B7A |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F6DB60 mov ecx, dword ptr fs:[00000030h] | 6_2_00F6DB60 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F6F358 mov eax, dword ptr fs:[00000030h] | 6_2_00F6F358 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F6DB40 mov eax, dword ptr fs:[00000030h] | 6_2_00F6DB40 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01038D34 mov eax, dword ptr fs:[00000030h] | 6_2_01038D34 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F8746D mov eax, dword ptr fs:[00000030h] | 6_2_00F8746D |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FFC450 mov eax, dword ptr fs:[00000030h] | 6_2_00FFC450 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FFC450 mov eax, dword ptr fs:[00000030h] | 6_2_00FFC450 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F9BC2C mov eax, dword ptr fs:[00000030h] | 6_2_00F9BC2C |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01018DF1 mov eax, dword ptr fs:[00000030h] | 6_2_01018DF1 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FE6C0A mov eax, dword ptr fs:[00000030h] | 6_2_00FE6C0A |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FE6C0A mov eax, dword ptr fs:[00000030h] | 6_2_00FE6C0A |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FE6C0A mov eax, dword ptr fs:[00000030h] | 6_2_00FE6C0A |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FE6C0A mov eax, dword ptr fs:[00000030h] | 6_2_00FE6C0A |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h] | 6_2_01021C06 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h] | 6_2_01021C06 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h] | 6_2_01021C06 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h] | 6_2_01021C06 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h] | 6_2_01021C06 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h] | 6_2_01021C06 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h] | 6_2_01021C06 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h] | 6_2_01021C06 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h] | 6_2_01021C06 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h] | 6_2_01021C06 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h] | 6_2_01021C06 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h] | 6_2_01021C06 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h] | 6_2_01021C06 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h] | 6_2_01021C06 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0103740D mov eax, dword ptr fs:[00000030h] | 6_2_0103740D |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0103740D mov eax, dword ptr fs:[00000030h] | 6_2_0103740D |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0103740D mov eax, dword ptr fs:[00000030h] | 6_2_0103740D |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F935A1 mov eax, dword ptr fs:[00000030h] | 6_2_00F935A1 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F9FD9B mov eax, dword ptr fs:[00000030h] | 6_2_00F9FD9B |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F9FD9B mov eax, dword ptr fs:[00000030h] | 6_2_00F9FD9B |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F62D8A mov eax, dword ptr fs:[00000030h] | 6_2_00F62D8A |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F62D8A mov eax, dword ptr fs:[00000030h] | 6_2_00F62D8A |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F62D8A mov eax, dword ptr fs:[00000030h] | 6_2_00F62D8A |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F62D8A mov eax, dword ptr fs:[00000030h] | 6_2_00F62D8A |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F62D8A mov eax, dword ptr fs:[00000030h] | 6_2_00F62D8A |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F8C577 mov eax, dword ptr fs:[00000030h] | 6_2_00F8C577 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F8C577 mov eax, dword ptr fs:[00000030h] | 6_2_00F8C577 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F87D50 mov eax, dword ptr fs:[00000030h] | 6_2_00F87D50 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FA3D43 mov eax, dword ptr fs:[00000030h] | 6_2_00FA3D43 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FE3540 mov eax, dword ptr fs:[00000030h] | 6_2_00FE3540 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F94D3B mov eax, dword ptr fs:[00000030h] | 6_2_00F94D3B |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F94D3B mov eax, dword ptr fs:[00000030h] | 6_2_00F94D3B |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F94D3B mov eax, dword ptr fs:[00000030h] | 6_2_00F94D3B |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h] | 6_2_00F73D34 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h] | 6_2_00F73D34 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h] | 6_2_00F73D34 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h] | 6_2_00F73D34 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h] | 6_2_00F73D34 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h] | 6_2_00F73D34 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h] | 6_2_00F73D34 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h] | 6_2_00F73D34 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h] | 6_2_00F73D34 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h] | 6_2_00F73D34 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h] | 6_2_00F73D34 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h] | 6_2_00F73D34 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h] | 6_2_00F73D34 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F6AD30 mov eax, dword ptr fs:[00000030h] | 6_2_00F6AD30 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01038CD6 mov eax, dword ptr fs:[00000030h] | 6_2_01038CD6 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_010214FB mov eax, dword ptr fs:[00000030h] | 6_2_010214FB |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0103070D mov eax, dword ptr fs:[00000030h] | 6_2_0103070D |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0103070D mov eax, dword ptr fs:[00000030h] | 6_2_0103070D |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F776E2 mov eax, dword ptr fs:[00000030h] | 6_2_00F776E2 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F916E0 mov ecx, dword ptr fs:[00000030h] | 6_2_00F916E0 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F936CC mov eax, dword ptr fs:[00000030h] | 6_2_00F936CC |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FE46A7 mov eax, dword ptr fs:[00000030h] | 6_2_00FE46A7 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01038F6A mov eax, dword ptr fs:[00000030h] | 6_2_01038F6A |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FFFE87 mov eax, dword ptr fs:[00000030h] | 6_2_00FFFE87 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F7766D mov eax, dword ptr fs:[00000030h] | 6_2_00F7766D |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F6E620 mov eax, dword ptr fs:[00000030h] | 6_2_00F6E620 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F6C600 mov eax, dword ptr fs:[00000030h] | 6_2_00F6C600 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F6C600 mov eax, dword ptr fs:[00000030h] | 6_2_00F6C600 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F6C600 mov eax, dword ptr fs:[00000030h] | 6_2_00F6C600 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0101FE3F mov eax, dword ptr fs:[00000030h] | 6_2_0101FE3F |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F7FF60 mov eax, dword ptr fs:[00000030h] | 6_2_00F7FF60 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01030EA5 mov eax, dword ptr fs:[00000030h] | 6_2_01030EA5 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01030EA5 mov eax, dword ptr fs:[00000030h] | 6_2_01030EA5 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01030EA5 mov eax, dword ptr fs:[00000030h] | 6_2_01030EA5 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F7EF40 mov eax, dword ptr fs:[00000030h] | 6_2_00F7EF40 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0101FEC0 mov eax, dword ptr fs:[00000030h] | 6_2_0101FEC0 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F9E730 mov eax, dword ptr fs:[00000030h] | 6_2_00F9E730 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01038ED6 mov eax, dword ptr fs:[00000030h] | 6_2_01038ED6 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F64F2E mov eax, dword ptr fs:[00000030h] | 6_2_00F64F2E |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F64F2E mov eax, dword ptr fs:[00000030h] | 6_2_00F64F2E |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FFFF10 mov eax, dword ptr fs:[00000030h] | 6_2_00FFFF10 |
| Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00FFFF10 mov eax, dword ptr fs:[00000030h] | 6_2_00FFFF10 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0089B5E0 mov eax, dword ptr fs:[00000030h] | 23_2_0089B5E0 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035AF358 mov eax, dword ptr fs:[00000030h] | 23_2_035AF358 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03678F6A mov eax, dword ptr fs:[00000030h] | 23_2_03678F6A |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035ADB40 mov eax, dword ptr fs:[00000030h] | 23_2_035ADB40 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035BEF40 mov eax, dword ptr fs:[00000030h] | 23_2_035BEF40 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035D3B7A mov eax, dword ptr fs:[00000030h] | 23_2_035D3B7A |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035D3B7A mov eax, dword ptr fs:[00000030h] | 23_2_035D3B7A |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035ADB60 mov ecx, dword ptr fs:[00000030h] | 23_2_035ADB60 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035BFF60 mov eax, dword ptr fs:[00000030h] | 23_2_035BFF60 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03678B58 mov eax, dword ptr fs:[00000030h] | 23_2_03678B58 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035DA70E mov eax, dword ptr fs:[00000030h] | 23_2_035DA70E |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035DA70E mov eax, dword ptr fs:[00000030h] | 23_2_035DA70E |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0367070D mov eax, dword ptr fs:[00000030h] | 23_2_0367070D |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0367070D mov eax, dword ptr fs:[00000030h] | 23_2_0367070D |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035DE730 mov eax, dword ptr fs:[00000030h] | 23_2_035DE730 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0363FF10 mov eax, dword ptr fs:[00000030h] | 23_2_0363FF10 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0363FF10 mov eax, dword ptr fs:[00000030h] | 23_2_0363FF10 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035A4F2E mov eax, dword ptr fs:[00000030h] | 23_2_035A4F2E |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035A4F2E mov eax, dword ptr fs:[00000030h] | 23_2_035A4F2E |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0366131B mov eax, dword ptr fs:[00000030h] | 23_2_0366131B |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E37F5 mov eax, dword ptr fs:[00000030h] | 23_2_035E37F5 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03675BA5 mov eax, dword ptr fs:[00000030h] | 23_2_03675BA5 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035DB390 mov eax, dword ptr fs:[00000030h] | 23_2_035DB390 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035B1B8F mov eax, dword ptr fs:[00000030h] | 23_2_035B1B8F |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035B1B8F mov eax, dword ptr fs:[00000030h] | 23_2_035B1B8F |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0365D380 mov ecx, dword ptr fs:[00000030h] | 23_2_0365D380 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0366138A mov eax, dword ptr fs:[00000030h] | 23_2_0366138A |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03627794 mov eax, dword ptr fs:[00000030h] | 23_2_03627794 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03627794 mov eax, dword ptr fs:[00000030h] | 23_2_03627794 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03627794 mov eax, dword ptr fs:[00000030h] | 23_2_03627794 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0365B260 mov eax, dword ptr fs:[00000030h] | 23_2_0365B260 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0365B260 mov eax, dword ptr fs:[00000030h] | 23_2_0365B260 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03678A62 mov eax, dword ptr fs:[00000030h] | 23_2_03678A62 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035A9240 mov eax, dword ptr fs:[00000030h] | 23_2_035A9240 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035A9240 mov eax, dword ptr fs:[00000030h] | 23_2_035A9240 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035A9240 mov eax, dword ptr fs:[00000030h] | 23_2_035A9240 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035A9240 mov eax, dword ptr fs:[00000030h] | 23_2_035A9240 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035B7E41 mov eax, dword ptr fs:[00000030h] | 23_2_035B7E41 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035B7E41 mov eax, dword ptr fs:[00000030h] | 23_2_035B7E41 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035B7E41 mov eax, dword ptr fs:[00000030h] | 23_2_035B7E41 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035B7E41 mov eax, dword ptr fs:[00000030h] | 23_2_035B7E41 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035B7E41 mov eax, dword ptr fs:[00000030h] | 23_2_035B7E41 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035B7E41 mov eax, dword ptr fs:[00000030h] | 23_2_035B7E41 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E927A mov eax, dword ptr fs:[00000030h] | 23_2_035E927A |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035CAE73 mov eax, dword ptr fs:[00000030h] | 23_2_035CAE73 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035CAE73 mov eax, dword ptr fs:[00000030h] | 23_2_035CAE73 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035CAE73 mov eax, dword ptr fs:[00000030h] | 23_2_035CAE73 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035CAE73 mov eax, dword ptr fs:[00000030h] | 23_2_035CAE73 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035CAE73 mov eax, dword ptr fs:[00000030h] | 23_2_035CAE73 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03634257 mov eax, dword ptr fs:[00000030h] | 23_2_03634257 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035B766D mov eax, dword ptr fs:[00000030h] | 23_2_035B766D |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035C3A1C mov eax, dword ptr fs:[00000030h] | 23_2_035C3A1C |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035DA61C mov eax, dword ptr fs:[00000030h] | 23_2_035DA61C |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035DA61C mov eax, dword ptr fs:[00000030h] | 23_2_035DA61C |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0365FE3F mov eax, dword ptr fs:[00000030h] | 23_2_0365FE3F |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035AC600 mov eax, dword ptr fs:[00000030h] | 23_2_035AC600 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035AC600 mov eax, dword ptr fs:[00000030h] | 23_2_035AC600 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035AC600 mov eax, dword ptr fs:[00000030h] | 23_2_035AC600 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035AE620 mov eax, dword ptr fs:[00000030h] | 23_2_035AE620 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035D36CC mov eax, dword ptr fs:[00000030h] | 23_2_035D36CC |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E8EC7 mov eax, dword ptr fs:[00000030h] | 23_2_035E8EC7 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0365FEC0 mov eax, dword ptr fs:[00000030h] | 23_2_0365FEC0 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03678ED6 mov eax, dword ptr fs:[00000030h] | 23_2_03678ED6 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035B76E2 mov eax, dword ptr fs:[00000030h] | 23_2_035B76E2 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035D16E0 mov ecx, dword ptr fs:[00000030h] | 23_2_035D16E0 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03670EA5 mov eax, dword ptr fs:[00000030h] | 23_2_03670EA5 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03670EA5 mov eax, dword ptr fs:[00000030h] | 23_2_03670EA5 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03670EA5 mov eax, dword ptr fs:[00000030h] | 23_2_03670EA5 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_036246A7 mov eax, dword ptr fs:[00000030h] | 23_2_036246A7 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035DD294 mov eax, dword ptr fs:[00000030h] | 23_2_035DD294 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035DD294 mov eax, dword ptr fs:[00000030h] | 23_2_035DD294 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0363FE87 mov eax, dword ptr fs:[00000030h] | 23_2_0363FE87 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035BAAB0 mov eax, dword ptr fs:[00000030h] | 23_2_035BAAB0 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035BAAB0 mov eax, dword ptr fs:[00000030h] | 23_2_035BAAB0 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035DFAB0 mov eax, dword ptr fs:[00000030h] | 23_2_035DFAB0 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035A52A5 mov eax, dword ptr fs:[00000030h] | 23_2_035A52A5 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035A52A5 mov eax, dword ptr fs:[00000030h] | 23_2_035A52A5 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035A52A5 mov eax, dword ptr fs:[00000030h] | 23_2_035A52A5 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035A52A5 mov eax, dword ptr fs:[00000030h] | 23_2_035A52A5 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035A52A5 mov eax, dword ptr fs:[00000030h] | 23_2_035A52A5 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035C7D50 mov eax, dword ptr fs:[00000030h] | 23_2_035C7D50 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035CB944 mov eax, dword ptr fs:[00000030h] | 23_2_035CB944 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035CB944 mov eax, dword ptr fs:[00000030h] | 23_2_035CB944 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E3D43 mov eax, dword ptr fs:[00000030h] | 23_2_035E3D43 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03623540 mov eax, dword ptr fs:[00000030h] | 23_2_03623540 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035AB171 mov eax, dword ptr fs:[00000030h] | 23_2_035AB171 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035AB171 mov eax, dword ptr fs:[00000030h] | 23_2_035AB171 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035CC577 mov eax, dword ptr fs:[00000030h] | 23_2_035CC577 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035CC577 mov eax, dword ptr fs:[00000030h] | 23_2_035CC577 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035AC962 mov eax, dword ptr fs:[00000030h] | 23_2_035AC962 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03678D34 mov eax, dword ptr fs:[00000030h] | 23_2_03678D34 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0362A537 mov eax, dword ptr fs:[00000030h] | 23_2_0362A537 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035A9100 mov eax, dword ptr fs:[00000030h] | 23_2_035A9100 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035A9100 mov eax, dword ptr fs:[00000030h] | 23_2_035A9100 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035A9100 mov eax, dword ptr fs:[00000030h] | 23_2_035A9100 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035D4D3B mov eax, dword ptr fs:[00000030h] | 23_2_035D4D3B |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035D4D3B mov eax, dword ptr fs:[00000030h] | 23_2_035D4D3B |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035D4D3B mov eax, dword ptr fs:[00000030h] | 23_2_035D4D3B |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035D513A mov eax, dword ptr fs:[00000030h] | 23_2_035D513A |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035D513A mov eax, dword ptr fs:[00000030h] | 23_2_035D513A |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035AAD30 mov eax, dword ptr fs:[00000030h] | 23_2_035AAD30 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h] | 23_2_035B3D34 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h] | 23_2_035B3D34 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h] | 23_2_035B3D34 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h] | 23_2_035B3D34 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h] | 23_2_035B3D34 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h] | 23_2_035B3D34 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h] | 23_2_035B3D34 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h] | 23_2_035B3D34 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h] | 23_2_035B3D34 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h] | 23_2_035B3D34 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h] | 23_2_035B3D34 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h] | 23_2_035B3D34 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h] | 23_2_035B3D34 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035C4120 mov eax, dword ptr fs:[00000030h] | 23_2_035C4120 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035C4120 mov eax, dword ptr fs:[00000030h] | 23_2_035C4120 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035C4120 mov eax, dword ptr fs:[00000030h] | 23_2_035C4120 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035C4120 mov eax, dword ptr fs:[00000030h] | 23_2_035C4120 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035C4120 mov ecx, dword ptr fs:[00000030h] | 23_2_035C4120 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_036341E8 mov eax, dword ptr fs:[00000030h] | 23_2_036341E8 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03658DF1 mov eax, dword ptr fs:[00000030h] | 23_2_03658DF1 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035AB1E1 mov eax, dword ptr fs:[00000030h] | 23_2_035AB1E1 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035AB1E1 mov eax, dword ptr fs:[00000030h] | 23_2_035AB1E1 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035AB1E1 mov eax, dword ptr fs:[00000030h] | 23_2_035AB1E1 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035BD5E0 mov eax, dword ptr fs:[00000030h] | 23_2_035BD5E0 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035BD5E0 mov eax, dword ptr fs:[00000030h] | 23_2_035BD5E0 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035DFD9B mov eax, dword ptr fs:[00000030h] | 23_2_035DFD9B |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035DFD9B mov eax, dword ptr fs:[00000030h] | 23_2_035DFD9B |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035A2D8A mov eax, dword ptr fs:[00000030h] | 23_2_035A2D8A |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035A2D8A mov eax, dword ptr fs:[00000030h] | 23_2_035A2D8A |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035A2D8A mov eax, dword ptr fs:[00000030h] | 23_2_035A2D8A |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035A2D8A mov eax, dword ptr fs:[00000030h] | 23_2_035A2D8A |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035A2D8A mov eax, dword ptr fs:[00000030h] | 23_2_035A2D8A |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035DA185 mov eax, dword ptr fs:[00000030h] | 23_2_035DA185 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035CC182 mov eax, dword ptr fs:[00000030h] | 23_2_035CC182 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035D35A1 mov eax, dword ptr fs:[00000030h] | 23_2_035D35A1 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035C0050 mov eax, dword ptr fs:[00000030h] | 23_2_035C0050 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035C0050 mov eax, dword ptr fs:[00000030h] | 23_2_035C0050 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03671074 mov eax, dword ptr fs:[00000030h] | 23_2_03671074 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03662073 mov eax, dword ptr fs:[00000030h] | 23_2_03662073 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035DA44B mov eax, dword ptr fs:[00000030h] | 23_2_035DA44B |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035C746D mov eax, dword ptr fs:[00000030h] | 23_2_035C746D |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0363C450 mov eax, dword ptr fs:[00000030h] | 23_2_0363C450 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0363C450 mov eax, dword ptr fs:[00000030h] | 23_2_0363C450 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h] | 23_2_03661C06 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h] | 23_2_03661C06 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h] | 23_2_03661C06 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h] | 23_2_03661C06 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h] | 23_2_03661C06 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h] | 23_2_03661C06 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h] | 23_2_03661C06 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h] | 23_2_03661C06 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h] | 23_2_03661C06 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h] | 23_2_03661C06 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h] | 23_2_03661C06 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h] | 23_2_03661C06 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h] | 23_2_03661C06 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h] | 23_2_03661C06 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03626C0A mov eax, dword ptr fs:[00000030h] | 23_2_03626C0A |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03626C0A mov eax, dword ptr fs:[00000030h] | 23_2_03626C0A |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03626C0A mov eax, dword ptr fs:[00000030h] | 23_2_03626C0A |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03626C0A mov eax, dword ptr fs:[00000030h] | 23_2_03626C0A |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0367740D mov eax, dword ptr fs:[00000030h] | 23_2_0367740D |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0367740D mov eax, dword ptr fs:[00000030h] | 23_2_0367740D |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0367740D mov eax, dword ptr fs:[00000030h] | 23_2_0367740D |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035BB02A mov eax, dword ptr fs:[00000030h] | 23_2_035BB02A |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035BB02A mov eax, dword ptr fs:[00000030h] | 23_2_035BB02A |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035BB02A mov eax, dword ptr fs:[00000030h] | 23_2_035BB02A |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035BB02A mov eax, dword ptr fs:[00000030h] | 23_2_035BB02A |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035DBC2C mov eax, dword ptr fs:[00000030h] | 23_2_035DBC2C |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03674015 mov eax, dword ptr fs:[00000030h] | 23_2_03674015 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03674015 mov eax, dword ptr fs:[00000030h] | 23_2_03674015 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03627016 mov eax, dword ptr fs:[00000030h] | 23_2_03627016 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03627016 mov eax, dword ptr fs:[00000030h] | 23_2_03627016 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03627016 mov eax, dword ptr fs:[00000030h] | 23_2_03627016 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03626CF0 mov eax, dword ptr fs:[00000030h] | 23_2_03626CF0 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03626CF0 mov eax, dword ptr fs:[00000030h] | 23_2_03626CF0 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03626CF0 mov eax, dword ptr fs:[00000030h] | 23_2_03626CF0 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_036614FB mov eax, dword ptr fs:[00000030h] | 23_2_036614FB |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03678CD6 mov eax, dword ptr fs:[00000030h] | 23_2_03678CD6 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0363B8D0 mov eax, dword ptr fs:[00000030h] | 23_2_0363B8D0 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0363B8D0 mov ecx, dword ptr fs:[00000030h] | 23_2_0363B8D0 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0363B8D0 mov eax, dword ptr fs:[00000030h] | 23_2_0363B8D0 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0363B8D0 mov eax, dword ptr fs:[00000030h] | 23_2_0363B8D0 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0363B8D0 mov eax, dword ptr fs:[00000030h] | 23_2_0363B8D0 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_0363B8D0 mov eax, dword ptr fs:[00000030h] | 23_2_0363B8D0 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035B849B mov eax, dword ptr fs:[00000030h] | 23_2_035B849B |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035A9080 mov eax, dword ptr fs:[00000030h] | 23_2_035A9080 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035DF0BF mov ecx, dword ptr fs:[00000030h] | 23_2_035DF0BF |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035DF0BF mov eax, dword ptr fs:[00000030h] | 23_2_035DF0BF |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035DF0BF mov eax, dword ptr fs:[00000030h] | 23_2_035DF0BF |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03623884 mov eax, dword ptr fs:[00000030h] | 23_2_03623884 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_03623884 mov eax, dword ptr fs:[00000030h] | 23_2_03623884 |
| Source: C:\Windows\SysWOW64\cmd.exe | Code function: 23_2_035E90AF mov eax, dword ptr fs:[00000030h] | 23_2_035E90AF |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation | Jump to behavior |
| Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation | Jump to behavior |
Play interactive tour
Edit tour
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node